Guild Wars 2

It seems that every new player for accounts made after 28 August, 2015 will have to hiccup at every stage of their in-game communications by having to authenticate each in-game message, send items or gold, or access to guild vaults with SMS verification being sent to their phones.

Noted, with distaste.
Why throw a stumbling-stone in one’s path for almost every single daily transaction? I do not know what player misbehaviour warranted this decision, but it is very irritating and invasive to new players (who are supposed to bring fresh blood to Arenanet coffers and thereby continue our beautiful Tyria).
I am also certain my gaming activity is none of my telephone network’s business.
Appreciated that these restrictions do not apply to older accounts.

I cannot offer an alternative, save that these nice, shiny, and EXPENSIVE HoT accounts be allowed freedom of transaction as they please, with the SMS verification removed entirely. If it must exist, then let it be only once, then removed permanently, without being forced to use email verification as an alternative.

Security is great, but convenience and an open welcome to Heart of Thorns are better.
Have faith in us, dear ArenaNet.
Remove these restrictions.

If we see anything wrong in our transactions or account safety, we will let you know.

From what I understand you only have to attach the authenticator to your account and you don’t have to authenticate each and every single transaction.

Yes, it is just one time thing you have to do. SMS autenciator is quick and easy and secure and also an extra confirmation that this account is not for scamming.

It is really stupid to complain about Anet wants us to be extra protected, it takes less than 5min to apply. I am happy for every security measure I can get and both SMS and Email verification is one time if you are on your home computer and if you are playing at internet cafés and other public networks you should be happy for every protection there is becouse it is nowdays so darn easy to hack an account.

‘If we see anything wrong in our transactions or account safety, we will let you know.’ – So you would rather wait until the bomb has blown up in your face than not having a bomb going of at all?

Er, add phone number once, if connecting from the same IP, no issues thereafter?

Can’t see this being much of an issue…

The added securtiy against account theft is much welcomed. There already was the email notification when connecting from a new IP, but email adres access can be gained via social engineering.

Getting your phone number is whole lot harder, so the gains for your account securty far outweight the minor inconvenience. After all, it really only sends that if you login from a new IP.
If you travel a lot this can be anoying, but really takes about 2 minutes tops from your time. Loading a zone can take longer sometimes.

Asumir.1978:

I do not know what player misbehaviour warranted this decision

Weak security practices. The average person does not know what they’re doing. The requirement for a secondary authentication is an attempt to reduce the amount of support tasks caused by hacked accounts. It may be annoying to players, but it does save resources for ArenaNet.

For the more secure players however, email authentication is the better option. It’s unfortunate that new people will be forced to actually reduce their security due to the lack of security of other people. An email account with multiple authentications is going to be far more secure than what is being offered here and if you do use what is offered here, you lose the superior protection that your email provided. In a worst case scenario however, none of these options will save you because your IP range is a vulnerability.

Faab.8049:

Getting your phone number is whole lot harder, so the gains for your account securty far outweight the minor inconvenience. After all, it really only sends that if you login from a new IP.

The code is vulnerable to phishing. People fell for the obvious scam where they managed to type in that long URL without realizing it. If people are going to do that, they’re going to enter their code when prompted. It only takes a single code for their IP to be remembered.

Healix.5819:

Faab.8049:

Getting your phone number is whole lot harder, so the gains for your account securty far outweight the minor inconvenience. After all, it really only sends that if you login from a new IP.

The code is vulnerable to phishing. People fell for the obvious scam where they managed to type in that long URL without realizing it. If people are going to do that, they’re going to enter their code when prompted. It only takes a single code for their IP to be remembered.

I’m not sure what you are referring to. Are you saying that Email Authentication is more secure than SMS authentication?
Off topic a bit: I’ve secured my email addresses with unique passwords, but a lot of people re-use theirs across their Target and Gmail accounts. Get one, you get the others. My phone is with me all the time, and to be able to gain access to the code in the SMS they need to be within ~2km to intercept the message and decrypt it (pretending to be an antenna, have the proper hardware etc). That 2-factor authentication is widely in use by major web services (twitter, Facebook etc) and works fine.

I have recieved a number of phising mails from fake Anet/GW2 accounts over the years to try and get me to enter the information. I recongized them, but they were good and I can see people falling for them.
But if you then add SMS authentication for confirming a password change request, that would start ringing some bells that you made a mistake.

Or are you talking about the GW2 code itself that can be subverted? Or something else?

For a long time, the majority of in game gold seller spam was from what looked like legit accounts, comprehensible names with non gibberish character names.

This is because early on they were all/mostly stolen accounts.
Note: they were not hacked accounts. To say “I got hacked” is to place the blame on ArenaNet for weak security. When in truth what happened is these [redacted][redacted][redacted] used the same username and password for multiple sites/games and when the other much weaker site is compromised their credentials are taken and the thieves attempt to login to other major systems with them.
In this case the stolen info lets them log into the GW2 accounts, strip them of gold (all that gold they’re selling for $$$, yeah it was stolen from another player), and use them as spam bots until they get banned/reclaimed.
Their second vector of attack is the sites they spam for selling gold often contain malware, usually a keylogger, to record the username/password of people who buy gold.
The buyers account is then compromised, stripped (including the gold they just bought), and again used as a spam bot.

Adding two factor authentication makes those attacks significantly harder to pull off.
Thus the more recent spam asking for your secret key, which lets the attacker add your token to a device of their own and totally bypassing that security layer.

I have zero sympathy or patience for the willfully ignorant, who refuse to even try to understand the basics of technology and security, who insist they don’t care how insecure it is. Their poor choice risks and effects the people around them as well, so I am in total support of enforcing minimum levels of security regardless of how it might inconvenience them.
Trust me its less of an inconvenience than losing your game account.
Or your e-mail account.
Or your bank account.

To expand on Scribe’s excellent post:

• ANet tried to offer advice to reduce account theft; that didn’t work.
• They tried to make it obvious when ANet was sending official mail (and what it might contain); that didn’t work.
• They tried putting restrictions on guild banks, on new players, etc; that didn’t work.

In the end, they have been unable to reduce account theft because the most vulnerable step in the process has been the account owner’s security — not everyone, of course, just far too many.

tl;dr it’s a small individual sacrifice for each of us and a big value for the community as a whole.

Asumir.1978:

It seems that every new player for accounts made after 28 August, 2015 will have to hiccup at every stage of their in-game communications by having to authenticate each in-game message, send items or gold, or access to guild vaults with SMS verification being sent to their phones.

Noted, with distaste.
Why throw a stumbling-stone in one’s path for almost every single daily transaction? I do not know what player misbehaviour warranted this decision, but it is very irritating and invasive to new players (who are supposed to bring fresh blood to Arenanet coffers and thereby continue our beautiful Tyria).
I am also certain my gaming activity is none of my telephone network’s business.
Appreciated that these restrictions do not apply to older accounts.

I cannot offer an alternative, save that these nice, shiny, and EXPENSIVE HoT accounts be allowed freedom of transaction as they please, with the SMS verification removed entirely. If it must exist, then let it be only once, then removed permanently, without being forced to use email verification as an alternative.

Security is great, but convenience and an open welcome to Heart of Thorns are better.
Have faith in us, dear ArenaNet.
Remove these restrictions.

If we see anything wrong in our transactions or account safety, we will let you know.

I think you are most confused. Authentication only…only is required when logging into your account. No authentication is needed once inside the game. You may be confusing the restrictions on accessing certain features being alleviated by adding 2F authentication with authenticating each transaction in-game.

Good luck.

I had an old email account attached to my gw2, one I stopped using) and it got hacked and they were able to use this email to take my account from the current email (because support is really easy to trick..) I fought for 2 months losing access to my account multiple times constantly asking for them to add some sort of verification to my account, to ignore any email from emails that where not current etc. After 2 months they finally gave me a new CD key that is now required to make any changes to my account. If they has just had phone verification in the first place it would have been a complete non issue.

Phone verification is a godsend.

I used WinAuth, it took 2 minutes. It only asks for the code if you log in from a different location so you don’t even notice it’s there.